From f5a917f0b41e03b86f8bf6f887b5ad4bb7a4ec12 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Thu, 10 Aug 2023 17:58:02 +0200
Subject: [PATCH] feat: support policy-optimizer

Extend the RBAC roles assigned to the `policy-server` Service Account. Grant access to the resources required by `policy-optimizer`.

Signed-off-by: Flavio Castelli
---
 .../templates/policy-server-rbac.yaml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/charts/kubewarden-defaults/templates/policy-server-rbac.yaml b/charts/kubewarden-defaults/templates/policy-server-rbac.yaml
index c95ff489..22adee82 100644
--- a/charts/kubewarden-defaults/templates/policy-server-rbac.yaml
+++ b/charts/kubewarden-defaults/templates/policy-server-rbac.yaml
@@ -46,3 +46,60 @@ roleRef:
 kind: ClusterRole
 name: kubewarden-context-watcher
 apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: policy-optimizer-leader-election-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubewarden-defaults.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy-server
+ annotations:
+ {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: policy-optimizer-leader-election-rolebinding
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubewarden-defaults.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy-server
+ annotations:
+ {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: policy-optimizer-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.policyServer.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+
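Review bot: The first rule of the new `policy-optimizer-leader-election-role` grants `get` on every Deployment in the release namespace, which is wider than a single component usually needs; if policy-optimizer only reads its own Deployment (the name is not visible in this hunk, so this is inferred), narrow the rule with a `resourceNames:` entry so the policy-server ServiceAccount cannot read other workloads' specs. Nothing in the template records why the policy-server ServiceAccount now needs lease, event and Deployment access, so add a comment above `rules:` such as `# Leader election (coordination.k8s.io/leases, core events) and Deployment lookup used by policy-optimizer; bound to the policy-server ServiceAccount below`. If the chart exposes a toggle for policy-optimizer, wrapping the two new documents in it would keep these permissions out of installs that never run the component. The final added line is an empty line at end of file, which yamllint's `empty-lines` check flags; the `+` line after the `namespace:` entry in `subjects` can be dropped. The enclosing template begins before this hunk, so any surrounding `{{ if }}` guard is not visible here.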